diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
index 31c4bc8a10654..99b91e684c620 100644
--- a/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -3811,37 +3811,35 @@ public function set_modifiable_text( string $plaintext_content ): bool {
 
 		switch ( $this->get_tag() ) {
 			case 'SCRIPT':
-				/**
-				 * This is over-protective, but ensures the update doesn't break
-				 * the HTML structure of the SCRIPT element.
-				 *
-				 * More thorough analysis could track the HTML tokenizer states
-				 * and to ensure that the SCRIPT element closes at the expected
-				 * SCRIPT close tag as is done in {@see ::skip_script_data()}.
-				 *
-				 * A SCRIPT element could be closed prematurely by contents
-				 * like `</script>`. A SCRIPT element could be prevented from
-				 * closing by contents like `<!--<script>`.
-				 *
-				 * The following strings are essential for dangerous content,
-				 * although they are insufficient on their own. This trade-off
-				 * prevents dangerous scripts from being sent to the browser.
-				 * It is also unlikely to produce HTML that may confuse more
-				 * basic HTML tooling.
+				$script_content_type = $this->get_script_content_type();
+
+				switch ( $script_content_type ) {
+					case 'javascript':
+					case 'json':
+						$escaped_content                          = self::escape_javascript_script_contents( $plaintext_content );
+						$this->lexical_updates['modifiable text'] = new WP_HTML_Text_Replacement(
+							$this->text_starts_at,
+							$this->text_length,
+							$escaped_content
+						);
+						return true;
+				}
+
+				/*
+				 * Unrecognized script content types cannot be escaped.
+				 * Reject contents that are potentially dangerous.
 				 */
 				if (
-					false !== stripos( $plaintext_content, '</script' ) ||
-					false !== stripos( $plaintext_content, '<script' )
+					false !== stripos( $plaintext_content, '<script' ) ||
+					false !== stripos( $plaintext_content, '</script' )
 				) {
 					return false;
 				}
-
 				$this->lexical_updates['modifiable text'] = new WP_HTML_Text_Replacement(
 					$this->text_starts_at,
 					$this->text_length,
 					$plaintext_content
 				);
-
 				return true;
 
 			case 'STYLE':
@@ -3891,6 +3889,345 @@ static function ( $tag_match ) {
 		return false;
 	}
 
+	/**
+	 * Returns the content type of the currently-matched SCRIPT tag, if matched and
+	 * recognized, otherwise returns `null` to indicate an unrecognized content type.
+	 *
+	 * Note! This concept is related but distinct from the MIME type of the script.
+	 * Parsing MUST match the specific algorithm in the HTML specification, which
+	 * relies on exact string comparison in some cases.
+	 *
+	 * Only 'javascript' and 'json' content types are currently recognized.
+	 *
+	 * @see https://html.spec.whatwg.org/multipage/scripting.html#prepare-the-script-element
+	 *
+	 * @since 7.0.0
+	 *
+	 * @return 'javascript'|'json'|null Type of script element content if matched and recognized.
+	 */
+	private function get_script_content_type(): ?string {
+		// SVG and MathML SCRIPT elements are not recognized.
+		if ( 'SCRIPT' !== $this->get_tag() || $this->get_namespace() !== 'html' ) {
+			return null;
+		}
+
+		/*
+		 * > If any of the following are true:
+		 * >   - el has a type attribute whose value is the empty string;
+		 * >   - el has no type attribute but it has a language attribute and that attribute's
+		 * >     value is the empty string; or
+		 * >   - el has neither a type attribute nor a language attribute,
+		 * > then let the script block's type string for this script element be "text/javascript".
+		 */
+		$type = $this->get_attribute( 'type' );
+		$lang = $this->get_attribute( 'language' );
+
+		if ( true === $type || '' === $type ) {
+			return 'javascript';
+		}
+
+		if ( null === $type && ( null === $lang || true === $lang || '' === $lang ) ) {
+			return 'javascript';
+		}
+
+		/*
+		 * > Otherwise, if el has a type attribute, then let the script block's type string be
+		 * > the value of that attribute with leading and trailing ASCII whitespace stripped.
+		 * > Otherwise, el has a non-empty language attribute; let the script block's type string
+		 * > be the concatenation of "text/" and the value of el's language attribute.
+		 */
+		$type_string = is_string( $type ) ? trim( $type, " \t\f\r\n" ) : "text/{$lang}";
+
+		// All matches are ASCII case-insensitive; eagerly lower-case for comparison.
+		$type_string = strtolower( $type_string );
+
+		/*
+		 * > If the script block's type string is a JavaScript MIME type essence match, then
+		 * > set el's type to "classic".
+		 *
+		 * > A string is a JavaScript MIME type essence match if it is an ASCII case-insensitive
+		 * > match for one of the JavaScript MIME type essence strings.
+		 *
+		 * > A JavaScript MIME type is any MIME type whose essence is one of the following:
+		 * >
+		 * > - application/ecmascript
+		 * > - application/javascript
+		 * > - application/x-ecmascript
+		 * > - application/x-javascript
+		 * > - text/ecmascript
+		 * > - text/javascript
+		 * > - text/javascript1.0
+		 * > - text/javascript1.1
+		 * > - text/javascript1.2
+		 * > - text/javascript1.3
+		 * > - text/javascript1.4
+		 * > - text/javascript1.5
+		 * > - text/jscript
+		 * > - text/livescript
+		 * > - text/x-ecmascript
+		 * > - text/x-javascript
+		 *
+		 * @see https://mimesniff.spec.whatwg.org/#javascript-mime-type-essence-match
+		 * @see https://mimesniff.spec.whatwg.org/#javascript-mime-type
+		 */
+		switch ( $type_string ) {
+			case 'application/ecmascript':
+			case 'application/javascript':
+			case 'application/x-ecmascript':
+			case 'application/x-javascript':
+			case 'text/ecmascript':
+			case 'text/javascript':
+			case 'text/javascript1.0':
+			case 'text/javascript1.1':
+			case 'text/javascript1.2':
+			case 'text/javascript1.3':
+			case 'text/javascript1.4':
+			case 'text/javascript1.5':
+			case 'text/jscript':
+			case 'text/livescript':
+			case 'text/x-ecmascript':
+			case 'text/x-javascript':
+				return 'javascript';
+
+			/*
+			 * > Otherwise, if the script block's type string is an ASCII case-insensitive match for
+			 * > the string "module", then set el's type to "module".
+			 *
+			 * A module is evaluated as JavaScript.
+			 */
+			case 'module':
+				return 'javascript';
+
+			/*
+			 * > Otherwise, if the script block's type string is an ASCII case-insensitive match for the string "importmap", then set el's type to "importmap".
+			 * > Otherwise, if the script block's type string is an ASCII case-insensitive match for the string "speculationrules", then set el's type to "speculationrules".
+			 *
+			 * These conditions indicate JSON content.
+			 */
+			case 'importmap':
+			case 'speculationrules':
+				return 'json';
+
+			/** @todo Rely on a full MIME parser for determining JSON content. */
+			case 'application/json':
+			case 'text/json':
+				return 'json';
+		}
+
+		/*
+		 * > Otherwise, return. (No script is executed, and el's type is left as null.)
+		 */
+		return null;
+	}
+
+	/**
+	 * Escape JavaScript and JSON script tag contents.
+	 *
+	 * Ensure that the script contents cannot modify the HTML structure or break out
+	 * of its containing SCRIPT element. JavaScript and JSON may both be escaped with
+	 * the same rules, even though there are additional escaping measures available
+	 * to JavaScript source code which aren’t applicable to serialized JSON data.
+	 *
+	 * A simple method safely escapes all content except for a few extremely rare and
+	 * unlikely exceptions: prevent the appearance of `<script` and `</script` within
+	 * the contents by replacing the first letter of the tag name with a Unicode escape.
+	 *
+	 * Example:
+	 *
+	 *     $plaintext = '<script>document.write( "A </script> closes a script." );</script>';
+	 *     $escaped   = '<script>document.write( "A </\u0073cript> closes a script." );</script>';
+	 *
+	 * This works because of how parsing changes after encountering an opening SCRIPT
+	 * tag. The actual parsing comprises a complicated state machine, the result of
+	 * legacy behaviors and diverse browser support. However, without these two strings
+	 * in the script contents, two key things are ensured: `</script>` cannot appear to
+	 * prematurely close the tag, and the problematic double-escaped state becomes
+	 * unreachable. A JavaScript engine or JSON decoder will then decode the Unicode
+	 * escape (`\u0073`) back into its original plaintext value, but only after having
+	 * been safely extracted from the HTML.
+	 *
+	 * While it may seem tempting to replace the `<` character instead, but doing so
+	 * would break JavaScript syntax. The `<` character is used in comparison operators
+	 * and other JavaScript syntax, so replacing it would break valid JavaScript.j
+	 * By replacing only the `s` in `<script` and `</script`, we avoid modifying
+	 * any JavaScript syntax.
+	 *
+	 * ### Exceptions
+	 *
+	 * This _should_ work everywhere, but there are some extreme exceptions.
+	 *
+	 *  - Comments.
+	 *  - Tagged templates, such as `String.raw()`, which provide access to “raw” strings.
+	 *  - The `source` property of a RegExp object.
+	 *
+	 * Each of these exceptions appear at the source code level, not at the semantic or
+	 * evaluation level. Normal JavaScript will remain semantically equivalent after escaping,
+	 * but any JavaScript which analyzes the raw source code will see potentially-different
+	 * values.
+	 *
+	 * #### Comments
+	 *
+	 * Comments are never unescaped because they aren’t parsed by the JavaScript engine.
+	 * When viewing the source in a browser’s developer tools, the comments will retain
+	 * their escaped text.
+	 *
+	 * Example:
+	 *
+	 *     // A comment: "</script>"
+	 *         …becomes…
+	 *     // A comment: "</\u0073cript>"
+	 *
+	 * #### Tagged templates.
+	 *
+	 * Tagged templates “enable the embedding of arbitrary string content, where escape
+	 * sequences may follow a different syntax.” For example, they can aid representing
+	 * a RegExp pattern or LaTex snippet within a JavaScript string, where the string
+	 * escape characters might get noisy and distracting.
+	 *
+	 * Example:
+	 *
+	 *     console.log( 'A \notin B' );           // Prints a newline because of the "\n".
+	 *     console.log( 'A \\notin B' );          // Prints "A \notin B".
+	 *     console.log( String.raw`A \notin B` ); // Prints "A \notin B".
+	 *
+	 * This means that if `<script` transforms into `<\u0073cript` _inside_ a raw string
+	 * or tagged template literal which relies on its `.raw` property, the output of the
+	 * code will be different after escaping.
+	 *
+	 * Example:
+	 *
+	 *     console.log( String.raw`</script>` );      // Prematurely closes the SCRIPT element.
+	 *     console.log( String.raw`</\u0073cript>` ); // Prints "</\u0073cript".
+	 *
+	 * #### RegExp sources.
+	 *
+	 * The RegExp object exposes its raw source in a similar way to how tagged templates and raw
+	 * strings do. Thankfully, because escape sequences are decoded when compiling the pattern,
+	 * escaped RegExp patterns will match the same way as the plaintext sequences would.
+	 *
+	 * Example:
+	 *
+	 *     true === /<script>/.test( '<script>' );
+	 *     true === /<\u0073cript>/.test( '<script>' );
+	 *
+	 * However, as with raw strings, any code which reads the source will see the escaped value
+	 * instead of the decoded one.
+	 *
+	 * Example:
+	 *
+	 *     console.log( /<script>/.source );      // Prints "<script>".
+	 *     console.log( /<\u0073cript>/.source ); // Prints "<\u0073cript>".
+	 *
+	 * #### Unsupported escaping.
+	 *
+	 * It is not possible to properly represent every possible JavaScript source file
+	 * inside a SCRIPT element. As with CSS stylesheets, SVG images, and MathML, the
+	 * only 100% reliable way to represent all possible inputs is to link to external
+	 * files of the given content-type.
+	 *
+	 * In some cases it’s possible to manually prevent escaping issues. These are not
+	 * automatically handled by this function because doing so would require a full
+	 * JavaScript tokenizer. Consider the following example listing various ways to
+	 * manually escape a closing script tag.
+	 *
+	 * Example:
+	 *
+	 *     console.log( String.raw`</script>` );                // !!UNSAFE!! Will be escaped.
+	 *     console.log( String.raw`</\u0073cript>` );           // "</\u0073cript>"
+	 *     console.log( String.raw`</scr` + String.raw`ipt>` ); // "</script>"
+	 *     console.log( String.raw`</${"script"}>` );           // "</script>"
+	 *     console.log( '</scr' + 'ipt>' );                     // "</script>"
+	 *     console.log( "\x3C/script>" );                       // "</script>"
+	 *     console.log( "<\/script>" );                         // "</script>"
+	 *
+	 * The following graph is a simplified interpretation of how HTML interprets the contents
+	 * of a SCRIPT tag and identifies the closing tag. It is useful to understand what text
+	 * is dangerous inside of a SCRIPT tag and why different approaches to escaping work.
+	 *
+	 *                                 Open script
+	 *                                     │
+	 *                                     ▼
+	 *                  ╔═════════════════════════════════════════╗   <!--(…)>
+	 *                  ║                                         ║   (all dashes)
+	 *                  ║                 script                  ╟────────────────╮
+	 *                  ║                  data                   ║                │
+	 *      ╭───────────╢                                         ║ ◀──────────────╯
+	 *      │           ╚═╤═══════════════════════════════════════╝
+	 *      │             │               ▲                    ▲
+	 *      │             │ <!--          │ -->                ╰─────╮
+	 *      │             ▼               │                          │
+	 *      │           ┌─────────────────┴───────────────────────┐  │
+	 *      │ </script¹ │                 escaped                 │  │
+	 *      │           └─┬─────────────────────────────┬─────────┘  │
+	 *      │             │               ▲             │            │ -->
+	 *      │             │ </script¹     │ </script¹   │ <script¹   │
+	 *      │             ▼               │             ▼            │
+	 *      │           ╔══════════════╗  │           ┌───────────┐  │
+	 *      │           ║ Close script ║  │           │  double   │  │
+	 *      ╰──────────▶║              ║  ╰───────────┤  escaped  ├──╯
+	 *                  ╚══════════════╝              └───────────┘
+	 *
+	 *           ¹ = Case insensitive 'script' followed by one of ' \t\f\r\n/>', known
+	 *               as “tag-name-terminating characters.” This sequence forms the start
+	 *               of what could be a SCRIPT opening or closing tag.
+	 *
+	 * @see https://html.spec.whatwg.org/#restrictions-for-contents-of-script-elements
+	 * @see https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals#specifications
+	 * @see wp_html_api_script_element_escaping_diagram_source()
+	 *
+	 * @since 7.0.0
+	 *
+	 * @param string $sourcecode Raw contents intended to be serialized into an HTML SCRIPT element.
+	 * @return string Escaped form of input contents which will not lead to premature closing of the containing SCRIPT element.
+	 */
+	public static function escape_javascript_script_contents( string $sourcecode ): string {
+		$at      = 0;
+		$was_at  = 0;
+		$end     = strlen( $sourcecode );
+		$escaped = '';
+
+		/*
+		 * Replace all instances of the ASCII case-insensitive match of "<script"
+		 * and "</script", when followed by whitespace or "/" or ">", by using a
+		 * character replacement for the "s" (or the "S").
+		 */
+		while ( $at < $end ) {
+			$tag_at = strpos( $sourcecode, '<', $at );
+			if ( false === $tag_at ) {
+				break;
+			}
+
+			$tag_name_at       = $tag_at + 1;
+			$has_closing_slash = $tag_name_at < $end && '/' === $sourcecode[ $tag_name_at ];
+			$tag_name_at      += $has_closing_slash ? 1 : 0;
+
+			if ( 0 !== substr_compare( $sourcecode, 'script', $tag_name_at, 6, true ) ) {
+				$at = $tag_at + 1;
+				continue;
+			}
+
+			if ( 1 !== strspn( $sourcecode, " \t\f\r\n/>", $tag_name_at + 6, 1 ) ) {
+				$at = $tag_name_at + 6;
+				continue;
+			}
+
+			$escaped .= substr( $sourcecode, $was_at, $tag_name_at - $was_at );
+			$escaped .= 's' === $sourcecode[ $tag_name_at ] ? '\u0073' : '\u0053';
+			$was_at   = $tag_name_at + 1;
+			$at       = $tag_name_at + 7;
+		}
+
+		if ( '' === $escaped ) {
+			return $sourcecode;
+		}
+
+		if ( $was_at < $end ) {
+			$escaped .= substr( $sourcecode, $was_at );
+		}
+
+		return $escaped;
+	}
+
 	/**
 	 * Updates or creates a new attribute on the currently matched tag with the passed value.
 	 *
diff --git a/src/wp-includes/script-loader.php b/src/wp-includes/script-loader.php
index 32e3a70be11b6..53816599bf488 100644
--- a/src/wp-includes/script-loader.php
+++ b/src/wp-includes/script-loader.php
@@ -2872,7 +2872,14 @@ function wp_get_script_tag( $attributes ) {
 	 */
 	$attributes = apply_filters( 'wp_script_attributes', $attributes );
 
-	return sprintf( "<script%s></script>\n", wp_sanitize_script_attributes( $attributes ) );
+	$processor = new WP_HTML_Tag_Processor( '<script></script>' );
+	$processor->next_tag();
+	foreach ( $attributes as $name => $value ) {
+		if ( is_string( $value ) || true === $value ) {
+			$processor->set_attribute( $name, $value );
+		}
+	}
+	return "{$processor->get_updated_html()}\n";
 }
 
 /**
@@ -2916,7 +2923,15 @@ function wp_get_inline_script_tag( $data, $attributes = array() ) {
 	 */
 	$attributes = apply_filters( 'wp_inline_script_attributes', $attributes, $data );
 
-	return sprintf( "<script%s>%s</script>\n", wp_sanitize_script_attributes( $attributes ), $data );
+	$processor = new WP_HTML_Tag_Processor( '<script></script>' );
+	$processor->next_tag();
+	foreach ( $attributes as $name => $value ) {
+		if ( is_string( $value ) || true === $value ) {
+			$processor->set_attribute( $name, $value );
+		}
+	}
+	$processor->set_modifiable_text( $data );
+	return "{$processor->get_updated_html()}\n";
 }
 
 /**
diff --git a/tests/phpunit/data/html-api/script-element-escaping-diagram.dot b/tests/phpunit/data/html-api/script-element-escaping-diagram.dot
new file mode 100644
index 0000000000000..d83b42096366a
--- /dev/null
+++ b/tests/phpunit/data/html-api/script-element-escaping-diagram.dot
@@ -0,0 +1,30 @@
+digraph {
+	rankdir=TB;
+
+	// Entry point
+	entry [shape=plaintext label="Open script"];
+	entry -> script_data;
+
+	// Double-circle states arranged more compactly
+	data [shape=doublecircle label="Close script"];
+	script_data [shape=doublecircle color=blue label="script\ndata"];
+	script_data_escaped [shape=circle color=orange label="escaped"];
+	script_data_double_escaped [shape=circle color=red label="double\nescaped"];
+
+	// Group related nodes on same ranks where possible
+	{rank=same; script_data script_data_escaped script_data_double_escaped}
+
+	script_data -> script_data [label="<!--(…)>\n(all dashes)"];
+	script_data -> script_data_escaped [label="<!--"];
+	script_data -> data [label="</script†"];
+
+	script_data_escaped -> script_data [label="-->"];
+	script_data_escaped -> script_data_double_escaped [label="<script†"];
+	script_data_escaped -> data [label="</script†"];
+
+	script_data_double_escaped -> script_data [label="-->"];
+	script_data_double_escaped -> script_data_escaped [label="</script†"];
+
+	label="† = Case insensitive 'script' followed by one of ' \\t\\f\\r\\n/>'";
+	labelloc=b;
+}
diff --git a/tests/phpunit/data/html-api/script-element-escaping-diagram.php b/tests/phpunit/data/html-api/script-element-escaping-diagram.php
new file mode 100644
index 0000000000000..20c10f5711347
--- /dev/null
+++ b/tests/phpunit/data/html-api/script-element-escaping-diagram.php
@@ -0,0 +1,13 @@
+<?php
+
+/**
+ * This is the original Graphviz source for the SCRIPT tag
+ * parsing behavior, used in the documentation for the HTML API.
+ *
+ * @see WP_HTML_Tag_Processor::escape_javascript_script_contents()
+ *
+ * @return string
+ */
+function wp_html_api_script_element_escaping_diagram_source() {
+	return file_get_contents( __DIR__ . '/script-element-escaping-diagram.dot' );
+}
diff --git a/tests/phpunit/tests/dependencies/scripts.php b/tests/phpunit/tests/dependencies/scripts.php
index ed742f4040133..8cca03010cad2 100644
--- a/tests/phpunit/tests/dependencies/scripts.php
+++ b/tests/phpunit/tests/dependencies/scripts.php
@@ -333,8 +333,8 @@ public function test_delayed_dependent_with_blocking_dependency_not_enqueued( $s
 		// This dependent is registered but not enqueued, so it should not factor into the eligible loading strategy.
 		wp_register_script( 'dependent-script-a4', '/dependent-script-a4.js', array( 'main-script-a4' ), null );
 		$output   = get_echo( 'wp_print_scripts' );
-		$expected = str_replace( "'", '"', "<script src='/main-script-a4.js' id='main-script-a4-js' {$strategy} data-wp-strategy='{$strategy}'></script>" );
-		$this->assertStringContainsString( $expected, $output, 'Only enqueued dependents should affect the eligible strategy.' );
+		$expected = "<script src='/main-script-a4.js' id='main-script-a4-js' {$strategy} data-wp-strategy='{$strategy}'></script>";
+		$this->assertEqualHTMLScriptTagById( $expected, $output, 'Only enqueued dependents should affect the eligible strategy.' );
 	}
 
 	/**
@@ -1076,8 +1076,8 @@ public function test_various_strategy_dependency_chains( $set_up, $expected_mark
 	public function test_loading_strategy_with_defer_having_no_dependents_nor_dependencies() {
 		wp_enqueue_script( 'main-script-d1', 'http://example.com/main-script-d1.js', array(), null, array( 'strategy' => 'defer' ) );
 		$output   = get_echo( 'wp_print_scripts' );
-		$expected = str_replace( "'", '"', "<script src='http://example.com/main-script-d1.js' id='main-script-d1-js' defer data-wp-strategy='defer'></script>\n" );
-		$this->assertStringContainsString( $expected, $output, 'Expected defer, as there is no dependent or dependency' );
+		$expected = "<script src='http://example.com/main-script-d1.js' id='main-script-d1-js' defer data-wp-strategy='defer'></script>\n";
+		$this->assertEqualHTMLScriptTagById( $expected, $output, 'Expected defer, as there is no dependent or dependency' );
 	}
 
 	/**
@@ -1096,7 +1096,7 @@ public function test_loading_strategy_with_defer_dependent_and_varied_dependenci
 		wp_enqueue_script( 'main-script-d2', 'http://example.com/main-script-d2.js', array( 'dependency-script-d2-1', 'dependency-script-d2-3' ), null, array( 'strategy' => 'defer' ) );
 		$output   = get_echo( 'wp_print_scripts' );
 		$expected = '<script src="http://example.com/main-script-d2.js" id="main-script-d2-js" defer data-wp-strategy="defer"></script>';
-		$this->assertStringContainsString( $expected, $output, 'Expected defer, as all dependencies are either deferred or blocking' );
+		$this->assertEqualHTMLScriptTagById( $expected, $output, 'Expected defer, as all dependencies are either deferred or blocking' );
 	}
 
 	/**
@@ -1115,7 +1115,7 @@ public function test_loading_strategy_with_all_defer_dependencies() {
 		wp_enqueue_script( 'dependent-script-d3-3', 'http://example.com/dependent-script-d3-3.js', array( 'dependent-script-d3-2' ), null, array( 'strategy' => 'defer' ) );
 		$output   = get_echo( 'wp_print_scripts' );
 		$expected = '<script src="http://example.com/main-script-d3.js" id="main-script-d3-js" defer data-wp-strategy="defer"></script>';
-		$this->assertStringContainsString( $expected, $output, 'Expected defer, as all dependents have defer loading strategy' );
+		$this->assertEqualHTMLScriptTagById( $expected, $output, 'Expected defer, as all dependents have defer loading strategy' );
 	}
 
 	/**
@@ -1495,9 +1495,10 @@ public function test_loading_strategy_with_invalid_defer_registration() {
 		wp_enqueue_script( 'dependent-script-d4-1', '/dependent-script-d4-1.js', array( 'main-script-d4' ), null, array( 'strategy' => 'defer' ) );
 		wp_enqueue_script( 'dependent-script-d4-2', '/dependent-script-d4-2.js', array( 'dependent-script-d4-1' ), null );
 		wp_enqueue_script( 'dependent-script-d4-3', '/dependent-script-d4-3.js', array( 'dependent-script-d4-2' ), null, array( 'strategy' => 'defer' ) );
+
 		$output   = get_echo( 'wp_print_scripts' );
-		$expected = str_replace( "'", '"', "<script src='/main-script-d4.js' id='main-script-d4-js' data-wp-strategy='defer'></script>\n" );
-		$this->assertStringContainsString( $expected, $output, 'Scripts registered as defer but that have all dependents with no strategy, should become blocking (no strategy).' );
+		$expected = "<script src='/main-script-d4.js' id='main-script-d4-js' data-wp-strategy='defer'></script>\n";
+		$this->assertEqualHTMLScriptTagById( $expected, $output, 'Scripts registered as defer but that have all dependents with no strategy, should become blocking (no strategy).' );
 	}
 
 	/**
diff --git a/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php b/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
index 66f9e67f5c8ed..9e0d94aecd17e 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
@@ -444,17 +444,19 @@ public static function data_tokens_with_basic_modifiable_text_updates() {
 	/**
 	 * Ensures that updates with potentially-compromising values aren't accepted.
 	 *
-	 * For example, a modifiable text update should be allowed which would break
-	 * the structure of the containing element, such as in a script or comment.
+	 * For example, a modifiable text update that would change the structure of the HTML
+	 * document is not allowed, like attempting to set `-->` within a comment or `</script>`
+	 * within a text/plain SCRIPT tag.
 	 *
 	 * @ticket 61617
+	 * @ticket 62797
 	 *
 	 * @dataProvider data_unallowed_modifiable_text_updates
 	 *
 	 * @param string $html_with_nonempty_modifiable_text Will be used to find the test element.
 	 * @param string $invalid_update                     Update containing possibly-compromising text.
 	 */
-	public function test_rejects_updates_with_unallowed_substrings( string $html_with_nonempty_modifiable_text, string $invalid_update ) {
+	public function test_rejects_dangerous_updates( string $html_with_nonempty_modifiable_text, string $invalid_update ) {
 		$processor = new WP_HTML_Tag_Processor( $html_with_nonempty_modifiable_text );
 
 		while ( '' === $processor->get_modifiable_text() && $processor->next_token() ) {
@@ -466,7 +468,7 @@ public function test_rejects_updates_with_unallowed_substrings( string $html_wit
 
 		$this->assertFalse(
 			$processor->set_modifiable_text( $invalid_update ),
-			'Should have reject possibly-compromising modifiable text update.'
+			'Should have rejected possibly-compromising modifiable text update.'
 		);
 
 		// Flush updates.
@@ -486,11 +488,152 @@ public function test_rejects_updates_with_unallowed_substrings( string $html_wit
 	 */
 	public static function data_unallowed_modifiable_text_updates() {
 		return array(
-			'Comment with -->'                 => array( '<!-- this is a comment -->', 'Comments end in -->' ),
-			'Comment with --!>'                => array( '<!-- this is a comment -->', 'Invalid but legitimate comments end in --!>' ),
-			'SCRIPT with </script>'            => array( '<script>Replace me</script>', 'Just a </script>' ),
-			'SCRIPT with </script attributes>' => array( '<script>Replace me</script>', 'before</script id=sneak>after' ),
-			'SCRIPT with "<script " opener'    => array( '<script>Replace me</script>', '<!--<script ' ),
+			'Comment with -->'                        => array( '<!-- this is a comment -->', 'Comments end in -->' ),
+			'Comment with --!>'                       => array( '<!-- this is a comment -->', 'Invalid but legitimate comments end in --!>' ),
+			'Non-JS SCRIPT with <script>'             => array( '<script type="text/html">Replace me</script>', '<!-- Just a <script>' ),
+			'Non-JS SCRIPT with </script>'            => array( '<script type="text/plain">Replace me</script>', 'Just a </script>' ),
+			'Non-JS SCRIPT with <script attributes>'  => array( '<script language="text">Replace me</script>', '<!-- <script sneaky>after' ),
+			'Non-JS SCRIPT with </script attributes>' => array( '<script language="text">Replace me</script>', 'before</script sneaky>after' ),
+		);
+	}
+
+	/**
+	 * Ensures that JavaScript script tag contents are safely updated.
+	 *
+	 * @ticket 62797
+	 *
+	 * @dataProvider data_script_tag_text_updates
+	 *
+	 * @param string $html     HTML containing a SCRIPT tag to be modified.
+	 * @param string $update   Update containing possibly-compromising text.
+	 * @param string $expected Expected result.
+	 */
+	public function test_safely_updates_script_tag_contents( string $html, string $update, string $expected ) {
+		$processor = new WP_HTML_Tag_Processor( $html );
+		$this->assertTrue( $processor->next_tag( 'SCRIPT' ) );
+		$this->assertTrue( $processor->set_modifiable_text( $update ) );
+		$this->assertSame( $expected, $processor->get_updated_html() );
+	}
+
+	/**
+	 * Data provider.
+	 *
+	 * @return array[]
+	 */
+	public static function data_script_tag_text_updates(): array {
+		return array(
+			'Simple update'                         => array( '<script></script>', '{}', '<script>{}</script>' ),
+			'Needs no replacement'                  => array( '<script></script>', '<!--<scriptish>', '<script><!--<scriptish></script>' ),
+			'var script;1<script>0'                 => array( '<script></script>', 'var script;1<script>0', '<script>var script;1<\u0073cript>0</script>' ),
+			'1</script>/'                           => array( '<script></script>', '1</script>/', '<script>1</\u0073cript>/</script>' ),
+			'var SCRIPT;1<SCRIPT>0'                 => array( '<script></script>', 'var SCRIPT;1<SCRIPT>0', '<script>var SCRIPT;1<\u0053CRIPT>0</script>' ),
+			'1</SCRIPT>/'                           => array( '<script></script>', '1</SCRIPT>/', '<script>1</\u0053CRIPT>/</script>' ),
+			'"</script>"'                           => array( '<script></script>', '"</script>"', '<script>"</\u0073cript>"</script>' ),
+			'"</ScRiPt>"'                           => array( '<script></script>', '"</ScRiPt>"', '<script>"</\u0053cRiPt>"</script>' ),
+			'Tricky script open tag with \r'        => array( '<script></script>', "<!-- <script\r>", "<script><!-- <\\u0073cript\r></script>" ),
+			'Tricky script open tag with \r\n'      => array( '<script></script>', "<!-- <script\r\n>", "<script><!-- <\\u0073cript\r\n></script>" ),
+			'Tricky script close tag with \r'       => array( '<script></script>', "// </script\r>", "<script>// </\\u0073cript\r></script>" ),
+			'Tricky script close tag with \r\n'     => array( '<script></script>', "// </script\r\n>", "<script>// </\\u0073cript\r\n></script>" ),
+			'Module tag'                            => array( '<script type="module"></script>', '"<script>"', '<script type="module">"<\u0073cript>"</script>' ),
+			'Tag with type'                         => array( '<script type="text/javascript"></script>', '"<script>"', '<script type="text/javascript">"<\u0073cript>"</script>' ),
+			'Tag with language'                     => array( '<script language="javascript"></script>', '"<script>"', '<script language="javascript">"<\u0073cript>"</script>' ),
+			'Non-JS script, save HTML-like content' => array( '<script type="text/html"></script>', '<h1>This & that</h1>', '<script type="text/html"><h1>This & that</h1></script>' ),
+		);
+	}
+
+	/**
+	 * @ticket 64419
+	 */
+	public function test_complex_javascript_and_json_auto_escaping() {
+		$processor = new WP_HTML_Tag_Processor( "<script></script>\n<script></script>\n<hr>" );
+		$processor->next_tag( 'SCRIPT' );
+		$processor->set_attribute( 'type', 'importmap' );
+		$importmap_data = array(
+			'imports' => array(
+				'</SCRIPT>\\<!--\\<script>' => './script',
+			),
+		);
+
+		$importmap = json_encode(
+			$importmap_data,
+			JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_LINE_TERMINATORS
+		);
+
+		$processor->set_modifiable_text( "\n{$importmap}\n" );
+		$decoded_importmap = json_decode( $processor->get_modifiable_text(), true );
+		$this->assertSame( JSON_ERROR_NONE, json_last_error(), 'JSON failed to decode correctly.' );
+		$this->assertEquals( $importmap_data, $decoded_importmap );
+		$processor->next_tag( 'SCRIPT' );
+		$processor->set_attribute( 'type', 'module' );
+		$javascript = <<<'JS'
+import '</SCRIPT>\\<!--\\<script>';
+JS;
+		$processor->set_modifiable_text( "\n{$javascript}\n" );
+
+		$expected = <<<'HTML'
+<script type="importmap">
+{"imports":{"</\u0053CRIPT>\\<!--\\<\u0073cript>":"./script"}}
+</script>
+<script type="module">
+import '</\u0053CRIPT>\\<!--\\<\u0073cript>';
+</script>
+<hr>
+HTML;
+
+		$updated_html = $processor->get_updated_html();
+		$this->assertEqualHTML( $expected, $updated_html );
+
+		// Reprocess to ensure JSON survives HTML round-trip:
+		$processor = new WP_HTML_Tag_Processor( $updated_html );
+		$processor->next_tag( 'SCRIPT' );
+		$this->assertSame( 'importmap', $processor->get_attribute( 'type' ) );
+		$importmap_json    = $processor->get_modifiable_text();
+		$decoded_importmap = json_decode( $importmap_json, true );
+		$this->assertSame( JSON_ERROR_NONE, json_last_error(), 'Importmap JSON failed to decode.' );
+		$this->assertEquals(
+			$importmap_data,
+			$decoded_importmap,
+			'JSON was not equal after re-processing updated HTML.'
+		);
+	}
+
+	/**
+	 * @ticket 64419
+	 */
+	public function test_json_auto_escaping() {
+		// This is not a typical JSON encoding or escaping, but it is valid.
+		$json_text             = '"Escaped BS: \\\\; Escaped BS+LT: \\\\<; Unescaped LT: <; Script closer: </script>"';
+		$expected_decoded_json = 'Escaped BS: \\; Escaped BS+LT: \\<; Unescaped LT: <; Script closer: </script>';
+		$decoded_json          = json_decode( $json_text );
+		$this->assertSame( JSON_ERROR_NONE, json_last_error(), 'JSON failed to decode.' );
+		$this->assertSame(
+			$expected_decoded_json,
+			$decoded_json,
+			'Decoded JSON did not match expected value.'
+		);
+
+		$processor = new WP_HTML_Tag_Processor( '<script type="application/json"></script>' );
+		$processor->next_tag( 'SCRIPT' );
+
+		$processor->set_modifiable_text( "\n{$json_text}\n" );
+
+		$expected = <<<'HTML'
+<script type="application/json">
+"Escaped BS: \\; Escaped BS+LT: \\<; Unescaped LT: <; Script closer: </\u0073cript>"
+</script>
+HTML;
+
+		$updated_html = $processor->get_updated_html();
+		$this->assertEqualHTML( $expected, $updated_html );
+
+		// Reprocess to ensure JSON value survives HTML round-trip:
+		$processor = new WP_HTML_Tag_Processor( $updated_html );
+		$processor->next_tag( 'SCRIPT' );
+		$decoded_json_from_html = json_decode( $processor->get_modifiable_text(), true );
+		$this->assertSame( JSON_ERROR_NONE, json_last_error(), 'JSON failed to decode.' );
+		$this->assertEquals(
+			$expected_decoded_json,
+			$decoded_json_from_html
 		);
 	}
 }
diff --git a/tests/phpunit/tests/html-api/wpHtmlTagProcessorScriptTag.php b/tests/phpunit/tests/html-api/wpHtmlTagProcessorScriptTag.php
new file mode 100644
index 0000000000000..91c264765f67d
--- /dev/null
+++ b/tests/phpunit/tests/html-api/wpHtmlTagProcessorScriptTag.php
@@ -0,0 +1,200 @@
+<?php
+/**
+ * Unit tests covering WP_HTML_Tag_Processor script tag functionality.
+ *
+ * @package WordPress
+ * @subpackage HTML-API
+ *
+ * @group html-api
+ *
+ * @coversDefaultClass WP_HTML_Tag_Processor
+ */
+class Tests_HtmlApi_WpHtmlTagProcessorScriptTag extends WP_UnitTestCase {
+	/**
+	 * @ticket 64419
+	 *
+	 * @covers ::get_script_content_type()
+	 *
+	 * @dataProvider data_get_script_content_type
+	 *
+	 * @param string      $html         HTML containing a script tag.
+	 * @param string|null $content_type Inferred content type of SCRIPT element.
+	 */
+	public function test_get_script_content_type( string $html, ?string $content_type ) {
+		$processor = new WP_HTML_Tag_Processor( $html );
+		$processor->next_tag();
+
+		$detected = $this->get_script_content_type_with( $processor );
+
+		if ( isset( $content_type, $detected ) ) {
+			$this->assertSame(
+				$content_type,
+				$detected,
+				'Misidentified the type of contents within the SCRIPT element.'
+			);
+		} elseif ( isset( $content_type ) ) {
+			$this->assertSame(
+				$content_type,
+				$detected,
+				'Should have identified the type of contents within the SCRIPT element but failed to recognize any type.'
+			);
+		} else {
+			$this->assertNull(
+				$detected,
+				'Should have failed to identify the type of contents within the SCRIPT element.'
+			);
+		}
+	}
+
+	/**
+	 * Data provider for test_get_script_content_type.
+	 *
+	 * @return array[]
+	 */
+	public static function data_get_script_content_type(): array {
+		return array(
+			// Script tags without type or language attributes - should be JavaScript.
+			'Script tag without attributes'              => array( '<script></script>', 'javascript' ),
+			'Script tag with other attributes'           => array( '<script id="test"></script>', 'javascript' ),
+
+			// Script tags with empty type attribute - should be JavaScript.
+			'Script tag with empty type attribute'       => array( '<script type=""></script>', 'javascript' ),
+			'Script tag with boolean type attribute'     => array( '<script type></script>', 'javascript' ),
+
+			// Script tags without type but with language attribute - should be JavaScript.
+			'Script tag with empty language attribute'   => array( '<script language=""></script>', 'javascript' ),
+			'Script tag with boolean language attribute' => array( '<script language></script>', 'javascript' ),
+
+			// Script tags with falsy but non-empty language attribute.
+			'Script tag with language="0"'               => array( '<script language="0"></script>', null ),
+
+			// Script tags with JavaScript MIME essence - should be JavaScript.
+			'Script tag with application/ecmascript'     => array( '<script type="application/ecmascript"></script>', 'javascript' ),
+			'Script tag with application/javascript'     => array( '<script type="application/javascript"></script>', 'javascript' ),
+			'Script tag with application/x-ecmascript'   => array( '<script type="application/x-ecmascript"></script>', 'javascript' ),
+			'Script tag with application/x-javascript'   => array( '<script type="application/x-javascript"></script>', 'javascript' ),
+			'Script tag with text/ecmascript'            => array( '<script type="text/ecmascript"></script>', 'javascript' ),
+			'Script tag with text/javascript'            => array( '<script type="text/javascript"></script>', 'javascript' ),
+			'Script tag with text/javascript1.0'         => array( '<script type="text/javascript1.0"></script>', 'javascript' ),
+			'Script tag with text/javascript1.1'         => array( '<script type="text/javascript1.1"></script>', 'javascript' ),
+			'Script tag with text/javascript1.2'         => array( '<script type="text/javascript1.2"></script>', 'javascript' ),
+			'Script tag with text/javascript1.3'         => array( '<script type="text/javascript1.3"></script>', 'javascript' ),
+			'Script tag with text/javascript1.4'         => array( '<script type="text/javascript1.4"></script>', 'javascript' ),
+			'Script tag with text/javascript1.5'         => array( '<script type="text/javascript1.5"></script>', 'javascript' ),
+			'Script tag with text/jscript'               => array( '<script type="text/jscript"></script>', 'javascript' ),
+			'Script tag with text/livescript'            => array( '<script type="text/livescript"></script>', 'javascript' ),
+			'Script tag with text/x-ecmascript'          => array( '<script type="text/x-ecmascript"></script>', 'javascript' ),
+			'Script tag with text/x-javascript'          => array( '<script type="text/x-javascript"></script>', 'javascript' ),
+
+			// Case-insensitive matching for JavaScript MIME essence.
+			'Script tag with UPPERCASE type'             => array( '<script type="TEXT/JAVASCRIPT"></script>', 'javascript' ),
+			'Script tag with MixedCase type'             => array( '<script type="Text/JavaScript"></script>', 'javascript' ),
+			'Script tag with APPLICATION/JAVASCRIPT'     => array( '<script type="APPLICATION/JAVASCRIPT"></script>', 'javascript' ),
+
+			// Script tags with module type - should be JavaScript.
+			'Script tag with module type'                => array( '<script type="module"></script>', 'javascript' ),
+			'Script tag with MODULE type uppercase'      => array( '<script type="MODULE"></script>', 'javascript' ),
+			'Script tag with MoDuLe type mixed case'     => array( '<script type="MoDuLe"></script>', 'javascript' ),
+
+			// Script tags with whitespace around type - should strip whitespace.
+			'Script tag with leading whitespace'         => array( '<script type=" text/javascript"></script>', 'javascript' ),
+			'Script tag with trailing whitespace'        => array( '<script type="text/javascript "></script>', 'javascript' ),
+			'Script tag with surrounding whitespace'     => array( '<script type=" text/javascript "></script>', 'javascript' ),
+			'Script tag with tab whitespace'             => array( "<script type=\"\ttext/javascript\t\"></script>", 'javascript' ),
+			'Script tag with newline whitespace'         => array( "<script type=\"\ntext/javascript\n\"></script>", 'javascript' ),
+			'Script tag with mixed whitespace'           => array( "<script type=\" \t\ntext/javascript \t\n\"></script>", 'javascript' ),
+
+			// Script tags with language attribute and non-empty value - should use text/{language}.
+			'Script tag with language="javascript"'      => array( '<script language="javascript"></script>', 'javascript' ),
+			'Script tag with language="JavaScript"'      => array( '<script language="JavaScript"></script>', 'javascript' ),
+			'Script tag with language="ecmascript"'      => array( '<script language="ecmascript"></script>', 'javascript' ),
+			'Script tag with language="jscript"'         => array( '<script language="jscript"></script>', 'javascript' ),
+			'Script tag with language="livescript"'      => array( '<script language="livescript"></script>', 'javascript' ),
+
+			// Whitespace is not trimmed in the language attribute.
+			'Script tag with language=" javascript"'     => array( '<script language=" javascript"></script>', null ),
+
+			// JSON MIME types - should be JSON.
+			'Script tag with application/json type'      => array( '<script type="application/json"></script>', 'json' ),
+			'Script tag with text/json type'             => array( '<script type="text/json"></script>', 'json' ),
+
+			// importmap and speculationrules - should be JSON.
+			'Script tag with importmap type'             => array( '<script type="importmap"></script>', 'json' ),
+			'Script tag with speculationrules type'      => array( '<script type="speculationrules"></script>', 'json' ),
+
+			// Case-insensitive matching for JSON types.
+			'Script tag with APPLICATION/JSON uppercase' => array( '<script type="APPLICATION/JSON"></script>', 'json' ),
+			'Script tag with Text/Json mixed case'       => array( '<script type="Text/Json"></script>', 'json' ),
+			'Script tag with IMPORTMAP uppercase'        => array( '<script type="IMPORTMAP"></script>', 'json' ),
+			'Script tag with ImportMap mixed case'       => array( '<script type="ImportMap"></script>', 'json' ),
+			'Script tag with SPECULATIONRULES uppercase' => array( '<script type="SPECULATIONRULES"></script>', 'json' ),
+			'Script tag with SpeculationRules mixed'     => array( '<script type="SpeculationRules"></script>', 'json' ),
+
+			// Script tags with falsy but non-empty type attribute.
+			'Script tag with type="0"'                   => array( '<script type="0"></script>', null ),
+
+			// Unknown types should return null.
+			'Script tag with unknown MIME type'          => array( '<script type="text/plain"></script>', null ),
+			'Script tag with application/xml type'       => array( '<script type="application/xml"></script>', null ),
+			'Script tag with random type'                => array( '<script type="random/type"></script>', null ),
+
+			// Non-script tags - unknown content type.
+			'DIV tag'                                    => array( '<div></div>', null ),
+			'SPAN tag'                                   => array( '<span></span>', null ),
+			'P tag'                                      => array( '<p></p>', null ),
+		);
+	}
+
+	/**
+	 * @ticket 64419
+	 *
+	 * @covers ::get_script_content_type()
+	 */
+	public function test_get_script_content_type_returns_null_before_finding_tags() {
+		$processor = new WP_HTML_Tag_Processor( 'Just some text' );
+		$processor->next_token();
+
+		$this->assertNull(
+			$this->get_script_content_type_with( $processor ),
+			'Should fail to infer a content type when not matched on a SCRIPT element.'
+		);
+	}
+
+	/**
+	 * @ticket 64419
+	 *
+	 * @covers ::get_script_content_type()
+	 */
+	public function test_get_script_content_type_returns_null_for_non_html_namespace() {
+		$processor = new WP_HTML_Tag_Processor( '<script></script>' );
+		$processor->change_parsing_namespace( 'svg' );
+		$processor->next_tag();
+
+		$this->assertSame(
+			'SCRIPT',
+			$processor->get_tag(),
+			'Expected to find a SCRIPT tag in the SVG namespace: check test setup.'
+		);
+
+		$this->assertNull(
+			$this->get_script_content_type_with( $processor ),
+			'Should fail to infer content type for SCRIPT elements in non-HTML namespace'
+		);
+	}
+
+	/**
+	 * Test helper to call private script content type getter.
+	 *
+	 * @since 7.0.0
+	 *
+	 * @param WP_HTML_Tag_Processor $processor Call the private method on this instance.
+	 * @return string|null Script content type if matched and recognized, else `null`.
+	 */
+	private static function get_script_content_type_with( WP_HTML_Tag_Processor $processor ) {
+		$getter = function () {
+			return $this->get_script_content_type();
+		};
+
+		return $getter->call( $processor );
+	}
+}